Ownership of Files and Directories

When a web application or website is set up, the best practice is to reset file and directory permissions. By default, the owner of the system files is the user who uploaded the files to the server. If you are the server manager, you may have set up the system using the root account. In that case the default owner is root, and you should change it.

Some people assign the owner apache, which is in group apache. That should be much better than using root. But you may want to allow different users to access and update their own systems. A new user and group should be added for this.

Add new user

useradd -d /home/website/anson anson

The above command will create a new user "anson", assign the user to a new group "anson", and set the home directory of the new user to "/home/website/anson".

Set password for the user

passwd anson

Follow the prompts to set the new password for the user "anson".

Change Ownership

chown -R anson:anson /home/website/anson

This command will set the owner user and owner group of all files and directories under the directory /home/website/anson to anson.

Now if you log in as anson, you have permission to access and update only the files with ownership anson:anson. But you may find that the account anson can still read other system files or directories. This is because the ownership and permissions for the other systems have not been set correctly.

Permission of Files and Directories

In addition to the ownership, the permissions of files and directories should also be configured. They restrict which users can read, write and execute the files or directories. There are three classes for permission: user, group and public. Each class has read, write and execute permissions. The following are some examples:

- | r w x | r w x | r w x
all people have full permissions for the file

- | r w x | r w x | - - -
the user and all people in the group have full permissions for the file but other people have no permissions

- | r w x | r - x | - - x
user has full permissions for the file, all people in the group cannot modify the file but they can read and execute the file, other people can execute the file only

The following are the most common ways to set the permissions for a system.

Set Permission of all directories

find /home/website/anson -type d -exec chmod 755 {} \;

user: Full permissions
group: Read and Execute permissions
public: Read and Execute permissions 

Set Permission of all files

find /home/website/anson -type f -exec chmod 644 {} \;

user: Read and Write permissions
group: Read permissions
public: Read permissions

Set Permission for specific files and directories

Some files or directories should have special permissions. For example, write permission should be granted on the cache and temporary directories. Some public users may need to upload files to these directories. Or the configuration should be readable only by the user, so that other users cannot modify or read the configuration details. Here are some examples:

Allow the user to read and write the file configuration.php. Other users in the same group should be able to read the file. But the public user should have no permission to read, write or execute.

chmod 640 /home/website/anson/configuration.php

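Allow files to be uploaded to the cache folder, but only the user and other users in the same group can modify the folder. With 775 the public class can read and enter the folder but cannot write to it, so the process that saves the uploads must run as the user or as a member of the group.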

chmod 775 /home/website/anson/cache/
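
Once the ownership and permissions above are in place, it helps to check that nothing under the web root has drifted from them. The script below is an added example, not part of the original article: it reports every entry that deviates from the modes used on this page (directories 755, files 644, configuration.php 640, cache/ 775), is writable by the public class, or is not owned by the expected account. The function names and the sample tree (uploads/, backup.sql, lib/) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list entries under a web root
# that deviate from the page's policy: directories 755, files 644,
# configuration.php 640, cache/ 775, everything owned by one account.

# audit_webroot ROOT OWNER  -> prints one "finding: path" line per deviation
audit_webroot() {
    root=${1%/}
    owner=$2    # user name or numeric UID, e.g. anson
    # Directories that are not 755; cache/ is accepted only at exactly 775.
    find "$root" -type d ! -perm 755 \
        ! \( -path "$root/cache" -perm 775 \) | sed 's/^/dir-mode: /'
    # Files that are not 644; configuration.php is accepted only at 640.
    find "$root" -type f ! -perm 644 \
        ! \( -path "$root/configuration.php" -perm 640 \) | sed 's/^/file-mode: /'
    # Anything the public class can write to, whatever its other bits.
    find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/world-writable: /'
    # Anything not owned by the expected account (e.g. left as root or apache).
    find "$root" ! -user "$owner" | sed 's/^/owner: /'
}

# Constructed sample tree with two deliberate deviations (uploads/, backup.sql).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/cache" "$t/uploads" "$t/lib"
    : > "$t/index.php"; : > "$t/configuration.php"
    : > "$t/backup.sql"; : > "$t/lib/util.php"
    chmod 755 "$t" "$t/lib"
    chmod 644 "$t/index.php" "$t/lib/util.php"
    chmod 640 "$t/configuration.php"
    chmod 775 "$t/cache"
    chmod 777 "$t/uploads"
    chmod 666 "$t/backup.sql"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree, audited against the current user.
sample=$(make_sample_tree)
audit_webroot "$sample" "$(id -u)"
rm -rf "$sample"
```

On a real system the call would be audit_webroot /home/website/anson anson; an empty result means the tree matches the policy.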